[1] This is a follow-up from the 23andMe Team. Your inquiry has been escalated to me for review. To clarify, once you confirm your request to delete your account, we will delete your data from our systems within 30 days, unless we are required by law or regulation to maintain data for a given timeframe.
For example, your Genetic Information, date of birth, and sex will be retained by 23andMe and our third party genotyping laboratory as required for compliance with applicable legal obligations, including the U.S. Federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professional Code Section 1265, and College of American Pathologists accreditation requirements.
It is important to understand that the information stored is distinct from the raw genotype data available within your account. The raw data we receive from the lab has not been processed by our interpretation software to produce your individual-level genotype data (in your account).
You can read more about our retention requirements in the retention of personal information section of our Privacy Statement.
So, it's a CDC thing, not exactly 23andMe's fault. Save for the fact that 23andMe advertised it's easy to delete data on their front page, but with the small print somewhere out there that you can't really delete the actual data. To be entirely fair, it was there somewhere (I think in their help center in some article about the data deletion process) when I went to check out their privacy policies - because that's how I learned about it and reconsidered buying a test, but I guess most people don't read the small print until the deed is done.
My understanding is that they will delete your data on their side (leaving only a few things like payment receipts), but the lab won't because they legally can't.
> For example, your Genetic Information, date of birth, and sex will be retained by 23andMe
https://bourniquelaw.com/2024/10/09/data-23-and-me/
Most relevant bit:
"The law requires medical laboratories to retain some testing data and materials for various lengths of time, often 2 years, but as long as 10 years for some kinds of test."
My personal experience: I also failed the birth date test, even with my usual fake birth date. I also refused to provide a copy of my ID. They escalated my request and agreed to delete it anyway. All my samples and data are more than 10 years old, so they have no legal obligation to retain anything, which I pointed out to them in my confirmation.
I'm hoping they delete it but don't have the resources to do anything more than hope.
Quite possibly the most terrifying thing I’ve read recently.
> If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.
They certainly don't seem interested in answering this question, no matter how many ways I phrase it. So much for "you are in control of your data", I guess it was all BS as some people predicted.
No response yet. I'm sure the privacy department is busy.
Based on the vagueness of the response (which law in particular, what are the details etc) I’d argue they won’t delete anything ever and claim that they thought they might run afoul of some law.
All of this is super predictable, but I wasn’t nearly cynical enough 15 years ago when I mailed my spit to them.
(Although that turned out not to be the biggest family scandal that was turned up by the genetic testing - the cautionary click through on the "relatives" page is no joke...)
You would be incorrect. HIPAA does not apply to 23 & Me (or, for that matter, to almost any direct-to-consumer product).
sigh
(Also keep in mind, customer service people have to argue with assholes all day long, staying polite but clear but on-target can go a long way. Stick to the topic and never give them an excuse to cut off communication).
Genetic testing done through the hospital for a completely unrelated procedure can impact your life insurance (example: genetic testing for a child). Minnesota state law prevents health insurance from changing. Laws need to protect the right to know, not just the right to use genetic information.
And that mathematical information is only stored in the Secure Enclave, which means even if the entire Operating System (iOS) is hacked, the attacker still would not have access to your biometric information.
You should read this page. It goes into great detail about how much security there is around Touch ID and Face ID: https://support.apple.com/guide/security/face-id-and-touch-i...
Once your DNA is in some random company's DB it's there forever and available to whoever has the money
> it's hard to think about what harm can be caused by sending your DNA to... anyone.
Oh yeah ? Is this something that was determined by some kind of god and will be true forever ?
https://theconversation.com/life-insurers-can-charge-more-or...
> In Australia, life insurance companies can legally use the results of genetic tests to discriminate. They can decline to provide life insurance coverage, increase the cost of premiums, or place exclusions on an individual’s cover.
This is how they found the Golden State Killer. He left some DNA in the 70s. Worthless for a long time. But, a third cousin of his did a DNA test with a company, and the company provided the data to law enforcement, and they worked backwards to the killer.
I can think of no more sensitive biometric data than your dna.
I dunno, is that actually true? You leave DNA everywhere, don't you? If someone really wanted tombert's DNA, they'd just have to follow me onto the train and swab the pole I'm grabbing, or grab the cup I was sipping on at McDonald's, or any number of things that could lead to a number of cells containing my DNA in a state that could be collected being dropped.
Your day to day DNA “leavings” aren’t neatly packaged up and associated with your other PII like name, location, email address, etc in a stolen, searchable dataset.
The issue with digital data is almost never the individual targeting case. Cheap mass surveillance is the concern.
What I do expect is my data is deleted from the production database and thus won’t be in any future backups/logs/etc. I guess to that end, they would need to keep a record of delete requests to re-delete them if they ever need to restore from backup.
If there is a data breach in a year where the company’s user data ends up on the internet, I expect to not be in that user list.
In a perfect world there would be some way to snap your fingers and delete it from every system - but we do not live in a perfect world. There is absolutely no incentive to build systems with this kind of requirement in mind. It's a waste of time and effort. Europeans will say "but hey wait! GDPR!" meanwhile the world keeps spinning and no one gives a shit.
Some data scientist who wasn’t even supposed to be able to view stuff managed to copy data from prod to dev, maybe by accident. Then an engineer who intended to be testing an in place transform pipeline actually wrote a copy elsewhere, maybe once for each test, and didn’t even notice. This stuff happened off and on for like fifteen years while projects and people all changed and no one cares, because sure there’s some vague gestures in the direction of compliance, security, and privacy but it’s just a token effort because anyone who really starts asking questions is let go for not being a team player.
Syncing updates to some “main” copy won’t make it easy to delete dupes.
Why a prod db with sensitive user info is being used in testing is a whole separate issue. Those can be deleted in their entirety.
Also, I think it's easy to misstep if we start thinking of it as a problem of "better regulators", since some of the blame lies on deeper legal aspects around (data-)ownership, contracts, and what happens in bankruptcies.
Even a company with great intentions may have difficulty ensuring the promises they made are kept long-term, especially if a bankruptcy court voids those promises in the name of repaying creditors.
My impression from all that I've heard is that you should have a backup retention policy, but otherwise there's no set upper bound on how long that may be. Not that the text of the GDPR breathes a word of it, though, everything's just a rat's nest of exemptions suggested by various authorities and other parties that haven't been tested in court.
There's a lot of complaining around how difficult that can be and the fact that EU legislation in general often does not like to precisely prescribe its requirements, like what "reasonable" means, which can indeed be annoying.
You still need to remove it either directly or your retention policy for backups needs to be short enough that keeping it in backups for a while is judged as reasonable.
Nor do I see why I should particularly listen to what you say on this topic, given that others have similarly claimed authority from their lawyers or from their local jurisdictions.
> The second one linking to Verasafe's page on which it clearly says that yes, you should delete it.
Right before the "But don’t panic! Enforcement authorities know how difficult it is to fulfil this obligation in practice." section, where it elaborates on your ability to claim that stripping data from backups is technically infeasible, in which case you must promise to delete the data on restoration. Just like I've heard from everyone else.
It's always seemed paradoxical to me that the GDPR is branded as this unyielding hammer against companies improperly storing your data, only for it to be riddled with amorphous holes on every axis. "Data is data, period, unless it's not on a live production system, in which case the written vague rules it abides by are swapped out for a new set of totally undefined rules!"
> You still need to remove it either directly or your retention policy for backups needs to be short enough that keeping it in backups for a while is judged as reasonable.
And how might I know a priori what's the longest 'reasonable' retention term that a business might be permitted by its jurisdiction? The whole nature of backups is that they're useless right up until they aren't, so the marginal value of each additional week is difficult to measure in the first place. And when most concrete talk of 'reasonableness' is seemingly done behind closed doors if at all, I have no idea just how far other jurisdictions' ideas of a reasonable term might differ from mine.
But don't the GDPR and CCPA et al. create liability around failure-to-delete after receiving a request?
update users set deleted=true where uid=123345;
And the data is "gone". GDPR and CCPA etc. made it easy to send a request for deletion that will most probably be a frontend gimmick. How much effort are they really going to put into going back in their backups and deleting all your entries? I'm pretty sure it must be the lowest roadmap priority.
And it's amazing how financial liability has a way of getting things on a VP's feature radar that common sense doesn't.
The reason it was haphazardly handled prior was that there was no liability. Who cared? (legally speaking)
From working inside a T25 American retail company, I can say that we went top-to-bottom and rearchitected for traceability and hard deletes as a result of the CCPA.
If I ask Google to delete my data (EU citizen), I have trouble believing that they actually go through all of their cold storage backups where it was stored and make sure it's erased. At best I could believe that the process is designed in such a way that my soft-deleted data is unlikely to be recovered (intentionally or not) and maybe unlikely to be possible to link to my account.
Since the key is not used for end to end encryption, and backends still have access to the data (as long as the key lives), it has different requirements on how it needs to be protected. The biggest challenge is backing up the key itself, as losing it means losing access to all the user’s data by design. But backing up and obliterating a single key is much, much easier than doing so for a whole set of loosely associated data across many databases.
There is no end to end encryption involved here, so you don’t need to resort to such voodoo as homomorphic encryption.
Also, is an encrypted piece of data with a lost key truly deleted? What if the encryption gets cracked?
I would say it is more deleted than toggling a `deleted` flag in the db and less deleted than burning the tapes in fire.
I mentioned that: It makes the problem much smaller, as you only have one single, small piece of data to back up and erase, instead of an ever-changing many-faceted blob of distributed data.
> Also, is an encrypted piece of data with a lost key truly deleted? What if the encryption gets cracked?
Oh boy. If simple symmetric encryption gets “cracked”, then you have much larger problems.
> I would say it is more deleted than toggling a `deleted` flag in the db and less deleted than burning the tapes in fire.
For all practical purposes symmetrically encrypted data that lost its keys is considered “random” data. If you “erase” data on a device before you sell it, most often it will just throw away the key to the disk contents nowadays.
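The key-destruction approach discussed in the exchange above, as an added illustration that is not 23andMe's design or anyone's production code: each user's records are encrypted under a per-user key held in a small key store, so destroying that one key leaves every copy of the ciphertext, backups included, unreadable. The keystream here is HMAC-SHA256 in counter mode only so the block runs with the standard library; a real deployment would use an AEAD such as AES-GCM (assumption, as are all names).

```python
import hashlib
import hmac
import os

# Constructed crypto-shredding illustration (not 23andMe's code).
# HMAC-SHA256 in counter mode stands in for a real AEAD so the example
# needs no third-party library; this is an assumption for illustration.

class KeyStore:
    """Tiny per-user key store: the only thing that must be backed up and erased."""
    def __init__(self):
        self._keys = {}                        # uid -> 32-byte key

    def key_for(self, uid):
        if uid not in self._keys:
            self._keys[uid] = os.urandom(32)
        return self._keys[uid]

    def shred(self, uid):
        """Delete the user's key. Returns False if it was already gone."""
        return self._keys.pop(uid, None) is not None

    def has_key(self, uid):
        return uid in self._keys

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_record(keystore, uid, plaintext):
    """Encrypt one record under the user's key; layout: nonce || ct || tag."""
    key = keystore.key_for(uid)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity check
    return nonce + ct + tag

def decrypt_record(keystore, uid, blob):
    """Fails with KeyError once the key is shredded, even from a backup copy."""
    if not keystore.has_key(uid):
        raise KeyError("key shredded: record is unrecoverable")
    key = keystore.key_for(uid)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def is_recoverable(keystore, uid, blob):
    """What a backup-restore check would ask: can this blob still be read?"""
    try:
        decrypt_record(keystore, uid, blob)
        return True
    except KeyError:
        return False
```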
There is generally an expectation that data may be retained in backups for a specified retention period, but will not be used or restored. Beyond that, it is up to the regulator to determine if this meets the standard, but it's worth noting that there are notions baked into the text and the interpretations of the text of GDPR that account for reasonable costs and efforts.
Auditors can and do test and monitor for this, both using audit processes and demanding evidence, and by performing manual testing and experimentation.
Under Article 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4% of their total global turnover of the preceding fiscal year, whichever is higher.
Maybe some mom-and-pop shop would bodge it, but any serious business has legal counsel and wisely listens to them.
23andme didn't implement strong customer identity and auth mechanisms, for example, and it cost them ~$30M to settle their data breach liability [1]. Take action, keep receipts, and failing good faith actions, step back while regulators and the legal system whack whack whack with a hammer.
[1] https://news.ycombinator.com/item?id=41536494 ("HN: 23andMe settles data breach lawsuit for $30M")
But not the death of your data. That will be sold on to someone else.
Considered doing 23andMe at the hype peak, discovered they had avoided HIPAA requirements, read through their privacy policy, and marked them off the possibility list.
It was pretty clear the delta between sequencing costs and price they were charging consumers equaled how much they thought they could make from your genetic information.
And because they don't fall under HIPAA, your data is theirs after they get it.
PS: Sequencing costs were also falling rapidly, so it isn't that expensive to get it done.
I've had two members of my family die of ALS and was wondering what my odds are of getting it. One of the steps could be a full DNA sequence. In order to get to that step however, you have to do about six months of counseling, and several blood tests before they do the full DNA sequence. The counseling is to prepare yourself for the possibility of them essentially giving you a death sentence with the blood and DNA results.
I never got that far. My father convinced me it's better not to know and live your life accordingly, rather than trying to live a life always looking over your shoulder.
But my primary did have the information on how I could get it done, so I would start there.
Just remember that when you request to delete some data on the internet, it doesn't actually get deleted (right away anyway). The best way to deal with this is not to give random sites your real information in the first place. However, that can be difficult or impossible when dealing with government, financial institutions or shopping sites.
Edit: And just to address questions below, the actual delete script was not run daily. I don't know how often it was run (I was not an SRE) but I presume it was run at least once a month. I have no idea how other companies do this.
Sounds like the laws worked in this case. They required data to be actually deleted, and it was due to those laws, and only due to those laws.
But if an internal lawyer really puts their foot down, we might put an intern looking at it for a couple of days.
I'd bet a finger this is how it works in most companies, and I know I've seen worse versions.
What annoys me more is how many companies give next to no insight into or control over data retention. It should be unambiguous how soon or often our data gets hard-deleted, if ever.
If anything gdpr made painfully obvious how sloppy some devs/companies are
Customer submits a deletion request. We have a fan out process that takes the deletion request and submits it to a bunch of different data locations. All of these must respond within 2 days (though the required time is 72h). Each of those data locations will queue up a job to remove access (soft delete) the data, and schedule a hard delete for 28 days in the future. If the customer says they don't actually want the data to be deleted, we cancel the data hard deletion and revert the soft delete. If nothing happens the hard deletion goes through.
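The fan-out workflow described in the comment above (soft delete everywhere, hard delete scheduled 28 days out, cancellable in between), plus the point raised earlier in the thread that completed deletions must be re-applied after a restore from backup, as an added example that is not the commenter's system or 23andMe's code. Store names, integer day counters and the tombstone set are assumptions.

```python
# Constructed example of a deletion coordinator (assumed design, not any
# company's code). Time is an integer day counter to keep the example small.
HARD_DELETE_DELAY = 28            # days between soft delete and hard delete

class DataStore:
    """One data location that receives the fanned-out deletion request."""
    def __init__(self, name, rows):
        self.name = name
        self.rows = dict(rows)        # uid -> record
        self.hidden = set()           # soft-deleted uids (access removed)

    def soft_delete(self, uid):
        if uid in self.rows:
            self.hidden.add(uid)

    def revert_soft_delete(self, uid):
        self.hidden.discard(uid)

    def hard_delete(self, uid):
        self.rows.pop(uid, None)
        self.hidden.discard(uid)

    def readable(self, uid):
        return uid in self.rows and uid not in self.hidden

class DeletionCoordinator:
    def __init__(self, stores):
        self.stores = stores
        self.scheduled = {}           # uid -> day the hard delete is due
        self.tombstones = set()       # uids whose hard delete completed

    def request_deletion(self, uid, now):
        """Fan out: soft delete in every store, schedule the hard delete."""
        for s in self.stores:
            s.soft_delete(uid)
        self.scheduled[uid] = now + HARD_DELETE_DELAY

    def cancel(self, uid):
        """Customer changed their mind inside the window: undo the soft delete."""
        if self.scheduled.pop(uid, None) is None:
            return False              # nothing pending, or already hard-deleted
        for s in self.stores:
            s.revert_soft_delete(uid)
        return True

    def run_scheduled(self, now):
        """Execute every hard delete whose window has elapsed; return those uids."""
        due = sorted(u for u, t in self.scheduled.items() if t <= now)
        for uid in due:
            for s in self.stores:
                s.hard_delete(uid)
            del self.scheduled[uid]
            self.tombstones.add(uid)  # remembered so a restore cannot resurrect it
        return due

    def restore(self, store, snapshot_rows):
        """Restore one store from a backup snapshot, then re-apply deletions."""
        store.rows = dict(snapshot_rows)
        store.hidden = set()
        for uid in self.tombstones:   # completed deletions: purge again
            store.hard_delete(uid)
        for uid in self.scheduled:    # pending deletions: stay inaccessible
            store.soft_delete(uid)
```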
GDPR has strict rules about how long data can persist after the deletion request is made.
And here we are 18 years later and some people still think they can delete this. What else do you believe in? The tooth fairy? Santa Claus? Come on.
Also what have you thought they can tell you? An archaeogenetics teacher described this belief as "they think we throw a bone in the machine which tells us it was half hun, half avar, half bear and spoke slavic".
Y'all surrendered an intrinsic part of the privacy of yourself, your sister, your brother, even your unborn children for snake oil -- and paid for the privilege. I can't even.
Commence the downvotes, but you can't put the toothpaste back once it's been squeezed out.
Have you seen how simple minded the masses are? They find it hard to think! They are barely sentient!
Creating a virus to target another country sounds like sci-fi at the best case, or a conspiracy theory[0] at the worst case.
[0] https://en.wikipedia.org/wiki/Ukraine_bioweapons_conspiracy_...
That's not how private insurance works. Its entire purpose is to manage risk against unforeseen issues, not clearly foreseen ones that are for some reason a protected class. With better data, you can separate people out better, which means everyone basically just pays their own medical expenses. You could nationalize health insurance, but that's a heated debate in America right now.
> Creating a virus to target another country sounds like sci-fi at the best case
It could be done, today, with the data 23&Me has helpfully supplied and a few thousand dollars. I don't know why you would try to argue this point.
-----
You seem to be coming at this from an "every situation is a cooperative game" perspective. They're not. And in adversarial games, you need to limit the information other people have about you, even if you don't know how they will use it against you. So, even if I were wrong about how your DNA can be used against you, I would still be right about the need for privacy.